Analysis
-
max time kernel
99s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
25-12-2024 17:45
Behavioral task
behavioral1
Sample
15239eab63691271a1e9303884266901dd463f42bfc36639de9b290a37493ad8N.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
15239eab63691271a1e9303884266901dd463f42bfc36639de9b290a37493ad8N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
15239eab63691271a1e9303884266901dd463f42bfc36639de9b290a37493ad8N.exe
-
Size
386KB
-
MD5
abbe71f641153c53373ba8aa989e3260
-
SHA1
029b134d541628379d0ee8b7b1068e0dff38a843
-
SHA256
15239eab63691271a1e9303884266901dd463f42bfc36639de9b290a37493ad8
-
SHA512
65b861833a4f94deea4bae6f89c3b32652e9d76cd171bc96698339200807c3d12218a15057bddfcdf182695ebc1f43f3646e374d2bc27b8db1ad0ca442f2e2fc
-
SSDEEP
12288:ezZ0WwQZ7287xmPFRkfJg9qwQZ7287xmPB:ezBZZ/aFKm9qZZ/aB
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecnbpcje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idgmch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emjoep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgelbhmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oefcef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfdbji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfpinnfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knldaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndoenlcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iachom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jandikbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bigpdjpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hcdkagga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgbfen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njnion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfnncb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikojfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmmommnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkhbfcii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kppohf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eligoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmlpjhlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jejgcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fknnfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgjdecca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfhficcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnkggjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gncblo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehfjbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbjpqmhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akjhcimg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njklioqd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjpdphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qajiek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfbibfmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdjqinld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bopbeopi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjgoff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccinpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbihmcqp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkalph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcmgdpid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgbemjqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmogkkkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fipenn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikaglgei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppgfciee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibbioilj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cadfbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbiokdam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okamjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abjnei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndbjgjqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qfganb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgdijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmojcceo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdcahdib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiioanpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdckgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmpieg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmjfae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfemdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjmnfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcmnbbja.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3008 Kdincdcl.exe 2856 Kppohf32.exe 2864 Kihcakpa.exe 2748 Kikpgk32.exe 2716 Lpbhmiji.exe 2616 Mpeebhhf.exe 1660 Mookod32.exe 1172 Ndbjgjqh.exe 580 Ncggifep.exe 3036 Onhnjclg.exe 2972 Ojoood32.exe 2248 Papmlmbp.exe 1704 Ppgfciee.exe 2908 Aekelo32.exe 368 Aniffaim.exe 2216 Bfpkfb32.exe 1076 Cofohkgi.exe 1052 Dkaihkih.exe 1944 Dcojbm32.exe 1396 Djkodg32.exe 2008 Ehopnk32.exe 524 Eleobngo.exe 1004 Eenckc32.exe 1748 Feppqc32.exe 2124 Febmfcjj.exe 1708 Fdhigo32.exe 2988 Glhhgahg.exe 2448 Ginefe32.exe 2148 Gcifdj32.exe 2832 Hfiofefm.exe 2744 Hqemlbqi.exe 2592 Hfdbji32.exe 2508 Igdndl32.exe 2112 Ibbioilj.exe 2888 Iniidj32.exe 2004 Jnlfjjpl.exe 2540 Jckkhplq.exe 1616 Jmhile32.exe 1272 Jfpndkel.exe 2512 Kmjfae32.exe 2192 Kbgnil32.exe 1968 Khdgabih.exe 1552 Kopldl32.exe 2584 Kdoaackf.exe 1000 Kkiiom32.exe 1556 Lgpjcnhh.exe 948 Lgbfin32.exe 1528 Llooad32.exe 2256 Mdkmld32.exe 392 Obniel32.exe 2852 Pihnqj32.exe 1184 Peooek32.exe 2928 Pafpjljk.exe 2724 Pnjpdphd.exe 2772 Qajiek32.exe 2956 Qfganb32.exe 1020 Adkbgf32.exe 2700 Alfflhpa.exe 2016 Aogpmcmb.exe 2492 Afngoand.exe 800 Abehcbci.exe 848 Aolihc32.exe 2604 Bkbjmd32.exe 288 Bhfjgh32.exe -
Loads dropped DLL 64 IoCs
pid Process 1680 15239eab63691271a1e9303884266901dd463f42bfc36639de9b290a37493ad8N.exe 1680 15239eab63691271a1e9303884266901dd463f42bfc36639de9b290a37493ad8N.exe 3008 Kdincdcl.exe 3008 Kdincdcl.exe 2856 Kppohf32.exe 2856 Kppohf32.exe 2864 Kihcakpa.exe 2864 Kihcakpa.exe 2748 Kikpgk32.exe 2748 Kikpgk32.exe 2716 Lpbhmiji.exe 2716 Lpbhmiji.exe 2616 Mpeebhhf.exe 2616 Mpeebhhf.exe 1660 Mookod32.exe 1660 Mookod32.exe 1172 Ndbjgjqh.exe 1172 Ndbjgjqh.exe 580 Ncggifep.exe 580 Ncggifep.exe 3036 Onhnjclg.exe 3036 Onhnjclg.exe 2972 Ojoood32.exe 2972 Ojoood32.exe 2248 Papmlmbp.exe 2248 Papmlmbp.exe 1704 Ppgfciee.exe 1704 Ppgfciee.exe 2908 Aekelo32.exe 2908 Aekelo32.exe 368 Aniffaim.exe 368 Aniffaim.exe 2216 Bfpkfb32.exe 2216 Bfpkfb32.exe 1076 Cofohkgi.exe 1076 Cofohkgi.exe 1052 Dkaihkih.exe 1052 Dkaihkih.exe 1944 Dcojbm32.exe 1944 Dcojbm32.exe 1396 Djkodg32.exe 1396 Djkodg32.exe 2008 Ehopnk32.exe 2008 Ehopnk32.exe 524 Eleobngo.exe 524 Eleobngo.exe 1004 Eenckc32.exe 1004 Eenckc32.exe 1748 Feppqc32.exe 1748 Feppqc32.exe 2124 Febmfcjj.exe 2124 Febmfcjj.exe 1708 Fdhigo32.exe 1708 Fdhigo32.exe 2988 Glhhgahg.exe 2988 Glhhgahg.exe 2448 Ginefe32.exe 2448 Ginefe32.exe 2148 Gcifdj32.exe 2148 Gcifdj32.exe 2832 Hfiofefm.exe 2832 Hfiofefm.exe 2744 Hqemlbqi.exe 2744 Hqemlbqi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jejgcp32.exe Jlackjgd.exe File created C:\Windows\SysWOW64\Kaigmoiq.exe Kimbhl32.exe File created C:\Windows\SysWOW64\Djkodg32.exe Dcojbm32.exe File created C:\Windows\SysWOW64\Dfhficcn.exe Djaedbnj.exe File created C:\Windows\SysWOW64\Olmmho32.dll Gklnmgic.exe File opened for modification C:\Windows\SysWOW64\Jgjkhi32.exe Jkcjchco.exe File opened for modification C:\Windows\SysWOW64\Onmkhlph.exe Nedfofig.exe File created C:\Windows\SysWOW64\Dmklikob.exe Depgeiag.exe File opened for modification C:\Windows\SysWOW64\Bainld32.exe Bhqico32.exe File opened for modification C:\Windows\SysWOW64\Djhnmj32.exe Dfjegl32.exe File created C:\Windows\SysWOW64\Hjgnhf32.exe Hblidd32.exe File opened for modification C:\Windows\SysWOW64\Geoegm32.exe Gndpcj32.exe File opened for modification C:\Windows\SysWOW64\Gbpaef32.exe Gkehhlef.exe File created C:\Windows\SysWOW64\Neilfn32.dll Jaklei32.exe File created C:\Windows\SysWOW64\Cnoamj32.exe Ccinpa32.exe File created C:\Windows\SysWOW64\Jmbahk32.dll Bnhljnhm.exe File created C:\Windows\SysWOW64\Fenedlec.exe Ddlloi32.exe File created C:\Windows\SysWOW64\Ilolol32.exe Hcghffen.exe File created C:\Windows\SysWOW64\Mmmodpob.dll Ndcnik32.exe File created C:\Windows\SysWOW64\Ciifgpjl.dll Fnleqj32.exe File opened for modification C:\Windows\SysWOW64\Eaacch32.exe Ehiojb32.exe File created C:\Windows\SysWOW64\Pkhmce32.dll Pkdknq32.exe File created C:\Windows\SysWOW64\Anppiikk.exe Aplppela.exe File created C:\Windows\SysWOW64\Pdmbpo32.exe Pjemgibi.exe File created C:\Windows\SysWOW64\Jcpglhpo.exe Jijbnppi.exe File created C:\Windows\SysWOW64\Piagjhdh.dll Ehkgnpbe.exe File created C:\Windows\SysWOW64\Jandikbp.exe Jpnhoh32.exe File opened for modification C:\Windows\SysWOW64\Aiaqie32.exe Qhadob32.exe File created C:\Windows\SysWOW64\Ejoagm32.exe Ejleamon.exe File opened for modification C:\Windows\SysWOW64\Lmdamojp.exe Kdlmdi32.exe File created C:\Windows\SysWOW64\Pafpjljk.exe Peooek32.exe File opened for modification C:\Windows\SysWOW64\Jgeoda32.exe Jddfbf32.exe File opened for modification C:\Windows\SysWOW64\Fqbeapqb.exe Fpphlp32.exe File created C:\Windows\SysWOW64\Lqleqg32.exe Lgcqhagp.exe File created C:\Windows\SysWOW64\Jiqjiojc.exe Jphepidb.exe File opened for modification C:\Windows\SysWOW64\Klflfi32.exe Jeldiolb.exe File created C:\Windows\SysWOW64\Gklnmgic.exe Gdbeqmag.exe File opened for modification C:\Windows\SysWOW64\Giakoc32.exe Gklnmgic.exe File created C:\Windows\SysWOW64\Bcnomjbg.exe Beibln32.exe File created C:\Windows\SysWOW64\Appikd32.exe Aekenl32.exe File created C:\Windows\SysWOW64\Ollkge32.dll Fdlfeh32.exe File opened for modification C:\Windows\SysWOW64\Mookod32.exe Mpeebhhf.exe File created C:\Windows\SysWOW64\Fjdqbbkp.exe Fdkheh32.exe File created C:\Windows\SysWOW64\Efeaqi32.exe Egpdom32.exe File created C:\Windows\SysWOW64\Bqnhll32.dll Kceehijb.exe File created C:\Windows\SysWOW64\Fjjgda32.dll Ikaglgei.exe File created C:\Windows\SysWOW64\Gnjmmlfg.dll Bhoikfbb.exe File created C:\Windows\SysWOW64\Kkmddm32.dll Fjdqbbkp.exe File opened for modification C:\Windows\SysWOW64\Khakhg32.exe Kjmnfk32.exe File opened for modification C:\Windows\SysWOW64\Njnion32.exe Njklioqd.exe File opened for modification C:\Windows\SysWOW64\Bmogkkkd.exe Bokfaflj.exe File created C:\Windows\SysWOW64\Knlpphnd.exe Kdckgc32.exe File opened for modification C:\Windows\SysWOW64\Fmggdm32.exe Fdockgqp.exe File created C:\Windows\SysWOW64\Lppgfkpd.exe Lmondpbc.exe File created C:\Windows\SysWOW64\Anlkakqa.exe Abejlj32.exe File created C:\Windows\SysWOW64\Fddfbm32.dll Ekjjebed.exe File opened for modification C:\Windows\SysWOW64\Ilianckh.exe Iihhmhng.exe File created C:\Windows\SysWOW64\Occgce32.exe Okhboc32.exe File created C:\Windows\SysWOW64\Gcpfbhof.exe Gjhbic32.exe File created C:\Windows\SysWOW64\Nkddkk32.exe Nomdfjpo.exe File created C:\Windows\SysWOW64\Oaecne32.exe Oijnib32.exe File created C:\Windows\SysWOW64\Ginefe32.exe Glhhgahg.exe File created C:\Windows\SysWOW64\Egbffj32.exe Emieflec.exe File opened for modification C:\Windows\SysWOW64\Gbmbgngb.exe Fmnmih32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2144 524 WerFault.exe 774 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hocmbjhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcghffen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcidqlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dglmmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpncdfkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Indkgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcbaop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcpfbhof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oefcef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkgllndq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhadob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffcbce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjmdgmnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehechn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cijmjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkdknq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbelfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgbmkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aocloj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlfjjpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjqinld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efeaqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgbemjqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijipbchn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgfciee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djaedbnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eapcjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnkggjpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihehbpel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqleqg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njialh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bciaqnje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abkncmhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhjfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcfmkcdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbgnpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibbioilj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmigdend.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdoblckh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmogkkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edgkap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njklioqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oelcjkgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cabnokkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adkbgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghlell32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mikooghn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Babdhlmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbmoke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Labamcdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnlohdhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdadie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofohfeoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgpjpnhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgcqhagp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhlhmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idojon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkfkae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklpglom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jandikbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhonegbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjbbmmih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pockoeeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdockgqp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipahplk.dll" Jbmgapgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mofmeffb.dll" Nmifla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Feljja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbdamjng.dll" Kkqjmlhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkaihkih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igdndl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qcigjolm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbmgapgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmnnomnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pokkkgpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jibfqd32.dll" Ddeammok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akdgmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abjnei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknmgkpa.dll" Bomcgfjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgjiifh.dll" Dlmcaijm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjeedcjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lacmbg32.dll" Ibbioilj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjdqbbkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knldaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfjegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmcjldbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ondcacad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kgdijk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncogge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neilfn32.dll" Jaklei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdckgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfpgkicd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Okkhhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjgoff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnmqbaeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klnahndn.dll" Cdhgegfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhdhqg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcpglhpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddfnjikf.dll" Fnfekdpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aekenl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jocdqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dgphpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plbbmjhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ahlnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odknmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eeecibci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnoamj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cblniaii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Haqbcoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnkhfnea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bfpkfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eenckc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npoomg32.dll" Nabegpbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bomnnc32.dll" Pkalph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lmdamojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncogge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnijidk.dll" Cnifia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hblidd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmjfae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihefjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blaficqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibjkfpih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kopldl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgpjcnhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laejih32.dll" Epfnkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdlfeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppnpfagc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkhbfcii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Haadlh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1680 wrote to memory of 3008 1680 15239eab63691271a1e9303884266901dd463f42bfc36639de9b290a37493ad8N.exe 29 PID 1680 wrote to memory of 3008 1680 15239eab63691271a1e9303884266901dd463f42bfc36639de9b290a37493ad8N.exe 29 PID 1680 wrote to memory of 3008 1680 15239eab63691271a1e9303884266901dd463f42bfc36639de9b290a37493ad8N.exe 29 PID 1680 wrote to memory of 3008 1680 15239eab63691271a1e9303884266901dd463f42bfc36639de9b290a37493ad8N.exe 29 PID 3008 wrote to memory of 2856 3008 Kdincdcl.exe 30 PID 3008 wrote to memory of 2856 3008 Kdincdcl.exe 30 PID 3008 wrote to memory of 2856 3008 Kdincdcl.exe 30 PID 3008 wrote to memory of 2856 3008 Kdincdcl.exe 30 PID 2856 wrote to memory of 2864 2856 Kppohf32.exe 31 PID 2856 wrote to memory of 2864 2856 Kppohf32.exe 31 PID 2856 wrote to memory of 2864 2856 Kppohf32.exe 31 PID 2856 wrote to memory of 2864 2856 Kppohf32.exe 31 PID 2864 wrote to memory of 2748 2864 Kihcakpa.exe 32 PID 2864 wrote to memory of 2748 2864 Kihcakpa.exe 32 PID 2864 wrote to memory of 2748 2864 Kihcakpa.exe 32 PID 2864 wrote to memory of 2748 2864 Kihcakpa.exe 32 PID 2748 wrote to memory of 2716 2748 Kikpgk32.exe 33 PID 2748 wrote to memory of 2716 2748 Kikpgk32.exe 33 PID 2748 wrote to memory of 2716 2748 Kikpgk32.exe 33 PID 2748 wrote to memory of 2716 2748 Kikpgk32.exe 33 PID 2716 wrote to memory of 2616 2716 Lpbhmiji.exe 34 PID 2716 wrote to memory of 2616 2716 Lpbhmiji.exe 34 PID 2716 wrote to memory of 2616 2716 Lpbhmiji.exe 34 PID 2716 wrote to memory of 2616 2716 Lpbhmiji.exe 34 PID 2616 wrote to memory of 1660 2616 Mpeebhhf.exe 35 PID 2616 wrote to memory of 1660 2616 Mpeebhhf.exe 35 PID 2616 wrote to memory of 1660 2616 Mpeebhhf.exe 35 PID 2616 wrote to memory of 1660 2616 Mpeebhhf.exe 35 PID 1660 wrote to memory of 1172 1660 Mookod32.exe 36 PID 1660 wrote to memory of 1172 1660 Mookod32.exe 36 PID 1660 wrote to memory of 1172 1660 Mookod32.exe 36 PID 1660 wrote to memory of 1172 1660 Mookod32.exe 36 PID 1172 wrote to memory of 580 1172 Ndbjgjqh.exe 37 PID 1172 wrote to memory of 580 1172 Ndbjgjqh.exe 37 PID 1172 wrote to memory of 580 1172 Ndbjgjqh.exe 37 PID 1172 wrote to memory of 580 1172 Ndbjgjqh.exe 37 PID 580 wrote to memory of 3036 580 Ncggifep.exe 38 PID 580 wrote to memory of 3036 580 Ncggifep.exe 38 PID 580 wrote to memory of 3036 580 Ncggifep.exe 38 PID 580 wrote to memory of 3036 580 Ncggifep.exe 38 PID 3036 wrote to memory of 2972 3036 Onhnjclg.exe 39 PID 3036 wrote to memory of 2972 3036 Onhnjclg.exe 39 PID 3036 wrote to memory of 2972 3036 Onhnjclg.exe 39 PID 3036 wrote to memory of 2972 3036 Onhnjclg.exe 39 PID 2972 wrote to memory of 2248 2972 Ojoood32.exe 40 PID 2972 wrote to memory of 2248 2972 Ojoood32.exe 40 PID 2972 wrote to memory of 2248 2972 Ojoood32.exe 40 PID 2972 wrote to memory of 2248 2972 Ojoood32.exe 40 PID 2248 wrote to memory of 1704 2248 Papmlmbp.exe 41 PID 2248 wrote to memory of 1704 2248 Papmlmbp.exe 41 PID 2248 wrote to memory of 1704 2248 Papmlmbp.exe 41 PID 2248 wrote to memory of 1704 2248 Papmlmbp.exe 41 PID 1704 wrote to memory of 2908 1704 Ppgfciee.exe 42 PID 1704 wrote to memory of 2908 1704 Ppgfciee.exe 42 PID 1704 wrote to memory of 2908 1704 Ppgfciee.exe 42 PID 1704 wrote to memory of 2908 1704 Ppgfciee.exe 42 PID 2908 wrote to memory of 368 2908 Aekelo32.exe 43 PID 2908 wrote to memory of 368 2908 Aekelo32.exe 43 PID 2908 wrote to memory of 368 2908 Aekelo32.exe 43 PID 2908 wrote to memory of 368 2908 Aekelo32.exe 43 PID 368 wrote to memory of 2216 368 Aniffaim.exe 44 PID 368 wrote to memory of 2216 368 Aniffaim.exe 44 PID 368 wrote to memory of 2216 368 Aniffaim.exe 44 PID 368 wrote to memory of 2216 368 Aniffaim.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\15239eab63691271a1e9303884266901dd463f42bfc36639de9b290a37493ad8N.exe"C:\Users\Admin\AppData\Local\Temp\15239eab63691271a1e9303884266901dd463f42bfc36639de9b290a37493ad8N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Kdincdcl.exeC:\Windows\system32\Kdincdcl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Kppohf32.exeC:\Windows\system32\Kppohf32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Kihcakpa.exeC:\Windows\system32\Kihcakpa.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Kikpgk32.exeC:\Windows\system32\Kikpgk32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Lpbhmiji.exeC:\Windows\system32\Lpbhmiji.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Mpeebhhf.exeC:\Windows\system32\Mpeebhhf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Mookod32.exeC:\Windows\system32\Mookod32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Ndbjgjqh.exeC:\Windows\system32\Ndbjgjqh.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Ncggifep.exeC:\Windows\system32\Ncggifep.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Onhnjclg.exeC:\Windows\system32\Onhnjclg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Ojoood32.exeC:\Windows\system32\Ojoood32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Papmlmbp.exeC:\Windows\system32\Papmlmbp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Ppgfciee.exeC:\Windows\system32\Ppgfciee.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Aekelo32.exeC:\Windows\system32\Aekelo32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Aniffaim.exeC:\Windows\system32\Aniffaim.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Windows\SysWOW64\Bfpkfb32.exeC:\Windows\system32\Bfpkfb32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Cofohkgi.exeC:\Windows\system32\Cofohkgi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1076 -
C:\Windows\SysWOW64\Dkaihkih.exeC:\Windows\system32\Dkaihkih.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Dcojbm32.exeC:\Windows\system32\Dcojbm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Djkodg32.exeC:\Windows\system32\Djkodg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1396 -
C:\Windows\SysWOW64\Ehopnk32.exeC:\Windows\system32\Ehopnk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Eleobngo.exeC:\Windows\system32\Eleobngo.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:524 -
C:\Windows\SysWOW64\Eenckc32.exeC:\Windows\system32\Eenckc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1004 -
C:\Windows\SysWOW64\Feppqc32.exeC:\Windows\system32\Feppqc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Febmfcjj.exeC:\Windows\system32\Febmfcjj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Fdhigo32.exeC:\Windows\system32\Fdhigo32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Glhhgahg.exeC:\Windows\system32\Glhhgahg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Ginefe32.exeC:\Windows\system32\Ginefe32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Gcifdj32.exeC:\Windows\system32\Gcifdj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Hfiofefm.exeC:\Windows\system32\Hfiofefm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Hqemlbqi.exeC:\Windows\system32\Hqemlbqi.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Hfdbji32.exeC:\Windows\system32\Hfdbji32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Igdndl32.exeC:\Windows\system32\Igdndl32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Ibbioilj.exeC:\Windows\system32\Ibbioilj.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Iniidj32.exeC:\Windows\system32\Iniidj32.exe36⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Jnlfjjpl.exeC:\Windows\system32\Jnlfjjpl.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2004 -
C:\Windows\SysWOW64\Jckkhplq.exeC:\Windows\system32\Jckkhplq.exe38⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Jmhile32.exeC:\Windows\system32\Jmhile32.exe39⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Jfpndkel.exeC:\Windows\system32\Jfpndkel.exe40⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Kmjfae32.exeC:\Windows\system32\Kmjfae32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Kbgnil32.exeC:\Windows\system32\Kbgnil32.exe42⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Khdgabih.exeC:\Windows\system32\Khdgabih.exe43⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Kopldl32.exeC:\Windows\system32\Kopldl32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Kdoaackf.exeC:\Windows\system32\Kdoaackf.exe45⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Kkiiom32.exeC:\Windows\system32\Kkiiom32.exe46⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Lgpjcnhh.exeC:\Windows\system32\Lgpjcnhh.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Lgbfin32.exeC:\Windows\system32\Lgbfin32.exe48⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Llooad32.exeC:\Windows\system32\Llooad32.exe49⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Mdkmld32.exeC:\Windows\system32\Mdkmld32.exe50⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Obniel32.exeC:\Windows\system32\Obniel32.exe51⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\Pihnqj32.exeC:\Windows\system32\Pihnqj32.exe52⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Peooek32.exeC:\Windows\system32\Peooek32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1184 -
C:\Windows\SysWOW64\Pafpjljk.exeC:\Windows\system32\Pafpjljk.exe54⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Pnjpdphd.exeC:\Windows\system32\Pnjpdphd.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Qajiek32.exeC:\Windows\system32\Qajiek32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Qfganb32.exeC:\Windows\system32\Qfganb32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Adkbgf32.exeC:\Windows\system32\Adkbgf32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1020 -
C:\Windows\SysWOW64\Alfflhpa.exeC:\Windows\system32\Alfflhpa.exe59⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Aogpmcmb.exeC:\Windows\system32\Aogpmcmb.exe60⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Afngoand.exeC:\Windows\system32\Afngoand.exe61⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Abehcbci.exeC:\Windows\system32\Abehcbci.exe62⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Aolihc32.exeC:\Windows\system32\Aolihc32.exe63⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Bkbjmd32.exeC:\Windows\system32\Bkbjmd32.exe64⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Bhfjgh32.exeC:\Windows\system32\Bhfjgh32.exe65⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Bdmklico.exeC:\Windows\system32\Bdmklico.exe66⤵PID:388
-
C:\Windows\SysWOW64\Bcbhmehg.exeC:\Windows\system32\Bcbhmehg.exe67⤵PID:2524
-
C:\Windows\SysWOW64\Bnhljnhm.exeC:\Windows\system32\Bnhljnhm.exe68⤵
- Drops file in System32 directory
PID:2460 -
C:\Windows\SysWOW64\Bpieli32.exeC:\Windows\system32\Bpieli32.exe69⤵PID:2280
-
C:\Windows\SysWOW64\Cfemdp32.exeC:\Windows\system32\Cfemdp32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:236 -
C:\Windows\SysWOW64\Cblniaii.exeC:\Windows\system32\Cblniaii.exe71⤵
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Ckebbgoj.exeC:\Windows\system32\Ckebbgoj.exe72⤵PID:2804
-
C:\Windows\SysWOW64\Cobkhe32.exeC:\Windows\system32\Cobkhe32.exe73⤵PID:2820
-
C:\Windows\SysWOW64\Chkpakla.exeC:\Windows\system32\Chkpakla.exe74⤵PID:1044
-
C:\Windows\SysWOW64\Chmlfj32.exeC:\Windows\system32\Chmlfj32.exe75⤵PID:2720
-
C:\Windows\SysWOW64\Dqiakm32.exeC:\Windows\system32\Dqiakm32.exe76⤵PID:2736
-
C:\Windows\SysWOW64\Djaedbnj.exeC:\Windows\system32\Djaedbnj.exe77⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Dfhficcn.exeC:\Windows\system32\Dfhficcn.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1676 -
C:\Windows\SysWOW64\Dihojnqo.exeC:\Windows\system32\Dihojnqo.exe79⤵PID:2252
-
C:\Windows\SysWOW64\Dcnchg32.exeC:\Windows\system32\Dcnchg32.exe80⤵PID:2396
-
C:\Windows\SysWOW64\Dcppmg32.exeC:\Windows\system32\Dcppmg32.exe81⤵PID:2064
-
C:\Windows\SysWOW64\Emieflec.exeC:\Windows\system32\Emieflec.exe82⤵
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Egbffj32.exeC:\Windows\system32\Egbffj32.exe83⤵PID:2200
-
C:\Windows\SysWOW64\Eakjophb.exeC:\Windows\system32\Eakjophb.exe84⤵PID:2228
-
C:\Windows\SysWOW64\Eckcak32.exeC:\Windows\system32\Eckcak32.exe85⤵PID:2684
-
C:\Windows\SysWOW64\Eapcjo32.exeC:\Windows\system32\Eapcjo32.exe86⤵
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Fhlhmi32.exeC:\Windows\system32\Fhlhmi32.exe87⤵
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\Fadmenpg.exeC:\Windows\system32\Fadmenpg.exe88⤵PID:1636
-
C:\Windows\SysWOW64\Fioajqmb.exeC:\Windows\system32\Fioajqmb.exe89⤵PID:2128
-
C:\Windows\SysWOW64\Ffcbce32.exeC:\Windows\system32\Ffcbce32.exe90⤵
- System Location Discovery: System Language Discovery
PID:1372 -
C:\Windows\SysWOW64\Fehodaqd.exeC:\Windows\system32\Fehodaqd.exe91⤵PID:2688
-
C:\Windows\SysWOW64\Flbgak32.exeC:\Windows\system32\Flbgak32.exe92⤵PID:1560
-
C:\Windows\SysWOW64\Gkgdbh32.exeC:\Windows\system32\Gkgdbh32.exe93⤵PID:1456
-
C:\Windows\SysWOW64\Ghlell32.exeC:\Windows\system32\Ghlell32.exe94⤵
- System Location Discovery: System Language Discovery
PID:332 -
C:\Windows\SysWOW64\Gdbeqmag.exeC:\Windows\system32\Gdbeqmag.exe95⤵
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Gklnmgic.exeC:\Windows\system32\Gklnmgic.exe96⤵
- Drops file in System32 directory
PID:2932 -
C:\Windows\SysWOW64\Giakoc32.exeC:\Windows\system32\Giakoc32.exe97⤵PID:2740
-
C:\Windows\SysWOW64\Gnocdb32.exeC:\Windows\system32\Gnocdb32.exe98⤵PID:2440
-
C:\Windows\SysWOW64\Hocmbjhn.exeC:\Windows\system32\Hocmbjhn.exe99⤵
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Windows\SysWOW64\Lhgeao32.exeC:\Windows\system32\Lhgeao32.exe100⤵PID:1584
-
C:\Windows\SysWOW64\Mcafbm32.exeC:\Windows\system32\Mcafbm32.exe101⤵PID:1260
-
C:\Windows\SysWOW64\Mikooghn.exeC:\Windows\system32\Mikooghn.exe102⤵
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Mmigdend.exeC:\Windows\system32\Mmigdend.exe103⤵
- System Location Discovery: System Language Discovery
PID:1448 -
C:\Windows\SysWOW64\Mgalnk32.exeC:\Windows\system32\Mgalnk32.exe104⤵PID:2672
-
C:\Windows\SysWOW64\Mibeofaf.exeC:\Windows\system32\Mibeofaf.exe105⤵PID:1220
-
C:\Windows\SysWOW64\Mamjchoa.exeC:\Windows\system32\Mamjchoa.exe106⤵PID:2420
-
C:\Windows\SysWOW64\Napfihmn.exeC:\Windows\system32\Napfihmn.exe107⤵PID:1488
-
C:\Windows\SysWOW64\Nnfgnibb.exeC:\Windows\system32\Nnfgnibb.exe108⤵PID:2476
-
C:\Windows\SysWOW64\Nnidchqp.exeC:\Windows\system32\Nnidchqp.exe109⤵PID:572
-
C:\Windows\SysWOW64\Nqjmec32.exeC:\Windows\system32\Nqjmec32.exe110⤵PID:1132
-
C:\Windows\SysWOW64\Ngcebnen.exeC:\Windows\system32\Ngcebnen.exe111⤵PID:3012
-
C:\Windows\SysWOW64\Nlpmjdce.exeC:\Windows\system32\Nlpmjdce.exe112⤵PID:1604
-
C:\Windows\SysWOW64\Ombjpd32.exeC:\Windows\system32\Ombjpd32.exe113⤵PID:2756
-
C:\Windows\SysWOW64\Obpbhk32.exeC:\Windows\system32\Obpbhk32.exe114⤵PID:2812
-
C:\Windows\SysWOW64\Ocoobngl.exeC:\Windows\system32\Ocoobngl.exe115⤵PID:2600
-
C:\Windows\SysWOW64\Omgckcmm.exeC:\Windows\system32\Omgckcmm.exe116⤵PID:1916
-
C:\Windows\SysWOW64\Oindpd32.exeC:\Windows\system32\Oindpd32.exe117⤵PID:3044
-
C:\Windows\SysWOW64\Obfiijia.exeC:\Windows\system32\Obfiijia.exe118⤵PID:2152
-
C:\Windows\SysWOW64\Pbienj32.exeC:\Windows\system32\Pbienj32.exe119⤵PID:2204
-
C:\Windows\SysWOW64\Pmbfoh32.exeC:\Windows\system32\Pmbfoh32.exe120⤵PID:2776
-
C:\Windows\SysWOW64\Paqoef32.exeC:\Windows\system32\Paqoef32.exe121⤵PID:2576
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-